STE WILLIAMS

Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls

Two security researchers have demonstrated an attack on Active Directory that let them insert their own domain controller into an existing enterprise setup.

France-based duo Benjamin Delpy, a contributor to Mimikatz, and Vincent Le Toux took their attack, dubbed DCShadow, to Microsoft’s Blue Hat conference in Israel last week.

DCShadow allows an attacker to create a rogue domain controller in an Active Directory environment, and use it to push malicious objects.

How? Le Toux tweeted a summary.

The presentation (PDF) was unpicked in more detail by Luc Delsalle, a security researcher who specialises in Active Directory, here.

Delsalle explained: “The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain”.

Those steps are noisy and easily spotted, so instead, Delsalle wrote, the attack described by Delpy and Le Toux has to “modify the targeted AD infrastructure database to authorise the rogue server to be part of the replication process”.

He continued: “the main action made by the ‘DCShadow’ attack is to create a new server and nTDSDSA objects in the Configuration partition of the schema”. The nTDSDSA object represents a domain controller’s directory system agent, which Microsoft describes as the replication agent responsible for processing the Directory Replication Service (DRS) protocol.

Creating those objects needs highly privileged rights, which the attack assumes the intruder already holds; the harder problem is getting legitimate domain controllers to accept the rogue server as a replication partner, which comes down to the service principal names (SPNs) it advertises. Delsalle explains that Delpy and Le Toux were able to “isolate the minimum set of SPNs required for the replication process to go through. The results of their studies show that two SPNs are required to let another DC to connect to the rogue server” – these being the DRS service class (which has the well-known GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) and the Global Catalog service class (which has the string “GC”).

From there, the attackers registered a domain controller into the replication environment, and had it authenticated by another domain controller.

The final step is to force a last replication step with the IDL_DRSReplicaAdd RPC, allowing the attacker to add backdoors into the domain “by adding new member on an administrative group, or by setting SID history on a controlled user account for example”.
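Because the attack has to leave three traces in the directory (a server object with an nTDSDSA child in the Configuration partition, the DRS and GC SPNs on the rogue machine account, and a replication partner the domain never promoted), a defender can cross-check all three. The script below is an added example written for this page, not code from the article or from the researchers; it assumes the RSAT ActiveDirectory module and read access to the Configuration naming context, and the variable and check names are the author’s own.

```powershell
# Added example: hunt for DCShadow-style rogue domain controllers.
# Cross-checks the objects the attack must touch against the DCs the domain knows about.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$drsGuid  = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'   # DRS service class SPN prefix

# 1. Legitimate DCs as the domain reports them, keyed by computer object DN.
$knownDcDns = @{}
Get-ADDomainController -Filter * | ForEach-Object { $knownDcDns[$_.ComputerObjectDN] = $true }

$findings = [System.Collections.Generic.List[object]]::new()

# 2. Every server object that owns an NTDS Settings (nTDSDSA) child.
#    A rogue DC must create both in CN=Sites,CN=Configuration; serverReference
#    should point at a computer object the domain lists as a DC.
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $configNc |
    ForEach-Object {
        $serverDn = ($_.DistinguishedName -split ',', 2)[1]     # parent of CN=NTDS Settings
        $server   = Get-ADObject -Identity $serverDn -Properties serverReference, dNSHostName
        $ref      = $server.serverReference
        if (-not $ref -or -not $knownDcDns.ContainsKey($ref)) {
            $findings.Add([pscustomobject]@{
                Check   = 'nTDSDSA without matching DC'
                Object  = $server.DistinguishedName
                Details = "serverReference=$ref dNSHostName=$($server.dNSHostName)"
            })
        }
    }

# 3. Accounts carrying the DRS or GC SPN that are not known DCs.
#    DCShadow needs exactly these two SPNs on the rogue machine account.
Get-ADObject -LDAPFilter "(|(servicePrincipalName=$drsGuid/*)(servicePrincipalName=GC/*))" `
    -Properties servicePrincipalName |
    Where-Object { -not $knownDcDns.ContainsKey($_.DistinguishedName) } |
    ForEach-Object {
        $obj  = $_
        $spns = $obj.servicePrincipalName | Where-Object { $_ -like "$drsGuid/*" -or $_ -like 'GC/*' }
        $findings.Add([pscustomobject]@{
            Check   = 'DRS/GC SPN on non-DC account'
            Object  = $obj.DistinguishedName
            Details = ($spns -join ';')
        })
    }

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No DCShadow indicators found.' }
```

A caveat for anyone scheduling this: the rogue DC only needs to exist for the few seconds it takes to push its changes, and the attacker can delete the server, nTDSDSA and SPN entries afterwards, so a periodic directory sweep can miss the whole episode. Treat the script as a check for leftovers, and pair it with the durable signals: Directory Service replication events 4928 and 4929 (a replica source naming context established or removed) naming a source that is not a known DC.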

Le Toux noted in a tweet that the attack can be defeated… ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/dcshadow_active_directory_attack/
